Zero Trust Explained | Real World Example

Captions
What is zero trust? Well, that depends who's asking. Zero trust is critical to protect us from hackers and cyber crime in the modern world. Before we talk about what zero trust is, let's start by talking about what zero trust is not. It is not a piece of new technology. It is not a protocol. It is not a product that you go out, you buy, you set up and suddenly you have zero trust. Now, it's better to describe zero trust as a security concept or a framework. The goal is to trust nothing; instead we must continuously authenticate, authorize and assess every user and every device. Zero trust is achieved using a mixture of security policies and the right security tools.

And speaking of tools, let me say a big thank you to our sponsor of this video, Twingate. Twingate offers super easy, highly configurable remote access to your home or business network. Using advanced user authentication, limiting users to just what's needed and assessing the security health of your device makes Twingate a great tool for our zero trust arsenal. We'll talk more about this later, and I'll show you how you can get started implementing your own zero trust using Twingate. By the way, it's not going to cost you anything.

Okay, so to fully understand the problem that zero trust solves, we need to go back a few years. A traditional network looks something like this. We have our computers, our servers and our applications sitting inside our network. These are all protected from the outside world by our routers and our firewalls. This is called perimeter-based security. Because all of these devices are owned by the business and connected to the same network, we can control them using things like Group Policy for configuration or Active Directory for authentication, and our firewalls control which traffic is allowed in and out. We can even control the physical access to the devices and the infrastructure by controlling who has access to the buildings or the server rooms; we use things like ID cards and passcodes. We call this the trusted network, because we have complete control over these devices. Everything on the outside, however, which we don't control, is called the untrusted network. People often use the analogy of a medieval castle to describe this approach: the castle protects everything inside from the outside attackers with high walls and moats.

Now, this setup worked well for a long time. However, the idea of perimeter security has been facing challenges in recent years. Some of these challenges that businesses are facing are:

Cloud computing and web apps. Now most businesses are using a combination of web applications and cloud computing services. These applications and services can be accessed from anywhere on any device.

Remote working. Users are not always in the physical office network. Sometimes they're working from home, in a coffee shop or on any other public Wi-Fi. How do we then provide access to the resources the user needs while still ensuring they're using a safe connection? And how can we ensure they actually are in fact who they say they are?

User-owned devices. Users are not always using company-owned devices. Users may want to use their own phones or tablets or laptops to connect to the corporate data and services. Well then, how do we ensure that these devices are free from malware and secure enough to access our company resources?

And one of the biggest problems with perimeter-based security is something called lateral movement. If an attacker can find just one weakness in the perimeter and get access, then the explicit trust gives the attacker access to the other resources within the network.

All of these problems have gradually been increasing in recent years; however, the pandemic skyrocketed these, and it was clear that the traditional perimeter security approach was no longer able to protect this new way of working. So a new solution needed to be found, and this brings us to zero trust.

Now, I've said this already, but zero trust is not a single product that can be implemented overnight. It's a security architecture that needs to be built over time using different technologies, products and policies. Many security vendors have their own approach to zero trust and how it can be implemented, but I'm going to be talking about some of the core principles that make up zero trust, and then we're going to get hands-on with a real world example.

At its core, zero trust does exactly what it says on the tin: it removes all trust in users, devices and networks. A phrase often used to describe this is "never trust, always verify". It doesn't matter if you're sitting in a coffee shop, at home or in the office behind company firewalls, you are treated exactly the same. You are only trusted once you can prove otherwise. Now, I like to call this guilty until proven innocent. Now, the way to prove your innocence is to be verified. This is done based on several factors, including things like credentials, the device being used and the location of the request. For example, let's say you want to access a company resource. Before your request is granted, your credentials will be checked to ensure you are who you say you are. You may then be prompted for MFA. This is all pretty standard stuff, but then we can go further by checking things like the security health of your device. This could include checking that the operating system is up to date and that endpoint protection is installed. Your geolocation could also be looked at; maybe only requests from certain countries will be accepted, countries where the business operates, for example. Several of these checks can be made before you are verified. The key point here, though, is that even if you pass verification once, that does not automatically mean you are trusted. A key part of zero trust is that every request should be continuously and dynamically verified, every single time. This stops hackers from taking advantage of things like open sessions and trusted access.

Okay, as the name suggests, zero trust is all about removing all trust from every request, but there is more to it than that. The next principle is that of least privilege. Now, least privilege means only providing the minimum level of privilege needed to do a task. Seems pretty obvious, right? Well, this is often easier said than done. Implementing this in applications and services not designed for zero trust can sometimes be tricky. As humans we also want to be as helpful as possible, often giving much more access to users than needed, or giving access temporarily and never actually removing it. This is a weakness, and the attackers do take advantage of this. A common example of giving too much privilege is when all users have local admin rights. This is great for the user because they can install applications and run tasks that require permissions, all without interruption. However, this also means that malware or hackers using this account have much more access to the device. This is great for hackers, but it's bad news for us. With the right tools and policies in place, we can ensure that any user, application or device only has the permissions required to do what's needed and not a single bit more. An example of this is something called just enough access. This is where we provide only the necessary access required for a job. There's also something called just in time access. This is where we can provide access to resources such as virtual machines only for a set amount of time. Once this time is up, the access is then removed.

The last principle of zero trust that we will discuss is assume breach. Now, this means that we're not just trying to stop cyber attacks, but we're going to assume that the systems will be breached at some point, if they haven't already. By taking this mindset, we can start to plan our defenses for if the worst should happen. The first thing to do is segment our systems to reduce the blast radius. What this means is we reduce the damage done if an attacker is able to get access. We can reduce the area of a network they can access by using network segmentation, and we should also use user-based segmentation to limit the scope of the credentials. As well as reducing the blast radius, we must implement measures to detect and respond to these breaches. We must ensure we have the tools to provide visibility and the tools and services to respond to threats in real time.

Okay, so we now know the theory behind zero trust and why it's so important, but how do we actually start to implement this stuff? Well, as mentioned at the start of this video, complete zero trust cannot be achieved with just a single tool or service. You need a range of tools and policies to implement zero trust, but let me give you a real world example so you can get hands-on with some zero trust tools. The tool we're going to be looking at is called Twingate, which provides something called zero trust network access, also known as ZTNA. Zero trust network access provides everything we've already spoken about: in-depth verification and least privilege policies for your users who need access to the corporate resources. Now, don't worry, because Twingate is completely free for up to five users, which is more than enough for your home networks and for small teams.

So here is my home network. In my network I have a NAS, or network attached storage. This NAS drive holds all of my video files. I want to be able to access this NAS drive from anywhere. I could be at home, in a coffee shop or on the road; I need to be able to access my NAS drive. I also have an editor called Peter, and I may want Peter to access my NAS drive as well. Now, of course, I could use a simple VPN to do this. However, I want to implement the zero trust principles of verification, device compliance and least privilege. Twingate makes this super simple to do, so let's get this set up.

Now, the first thing we need to do is go over to twingate.com and set up a free account. Just go over to "Try Twingate for free". Once we've done that and signed in, it's just a simple three-step process: we need to set up a network, set up a connector and then install the client.

So first we need to set up a network. We'll hit the "Add remote network" button. This is the network we want remote access to. So as we can see, we have options for the three major cloud providers, AWS, Azure and Google Cloud, but in my case I'm going to select on premise, because the NAS drives are at my house. So we select on premise and then we're going to give it a name. I'm going to go with "home", because it's my home network, then hit "Add remote network", and just like that we have our first network. But it's currently empty. Don't worry, we are going to fix that, and this is where we implement our first bit of zero trust. Instead of giving access to the entire network, here I'm going to specify exactly what can be accessed, and we do that using a resource. So I'm going to click "Create resource", then I'll give it a name; this is going to be "My NAS". Then I'm going to give it the IP address. The IP address for my NAS drive is 192.168.1.187. Not only am I going to restrict the IP address, but I'm also going to restrict the ports that can be used to access my NAS drive. So I'll do that by clicking ports, and for TCP I'm going to allow port 5000, which is the port for the web admin, and I'm going to allow port number 445; this is for SMB, which will allow me to access the files remotely. Then I'll just disable UDP, and I'll disable ICMP as well. So here's my IP address, here are the only ports that you can access it on, and then I'll click "Create resource". You're then asked to select which users will have access. By default you have an Everyone group, and it's just me, so I'll select that and hit the add button.

Okay, so now we have our network and our resource defined. We now need to deploy a connector. This connector sits somewhere in the network and is what makes the connection possible. So to deploy the connector, I just have to click on one of these interestingly named connectors on the left hand side. So I'll go with "classy bobcat", and then we're taken to the deployment page. As we can see, we have tons of different options to deploy the connector. All are pretty straightforward, but to be honest the easiest one is going to be Docker, so that's the one I'll select. So I'll click Docker, and then all we need to do is generate some tokens. So I'll scroll down and hit the generate tokens button. Of course, we have to authenticate; remember, verify everything. So we'll log in again, and once generated, the tokens will be added to the command at the bottom. Now all we need to do is run this command on some type of machine. Now, this could be a computer you have lying around the house, Windows or Linux, it doesn't matter. It could be a Raspberry Pi, or it could even be the NAS drive itself, assuming it supports Docker. In my case I'm going to use a virtual Ubuntu machine. So I'll pull up that machine here, log in, and all I have to do is open up a terminal. The first command to run is sudo apt update, and this will go through looking to update all of your packages. Then the next command is sudo apt install docker.io. Now, this command will install Docker on the virtual machine. Again, this will only take a minute to go through. Once done, we just need to take that command from Twingate and paste it into here, but do not forget to type sudo before you copy it, or it will probably fail. So go back to Twingate, click the copy command button, go back to our virtual machine and paste that in, hit the enter button and it will start to work its way through. So now that's completed, we can go back to Twingate and check to see if the connector is now online. So it currently says not connected, but if I hit the refresh button, with a bit of luck, as we can see, the status has now changed to connected, meaning our connector is now live and working. We do have the option to add multiple connectors for redundancy, but I'm just going to leave it as the one for now. So now we have our resources defined and our connector deployed; now the only thing left is to download the client and test it out.

Okay, so I have my iPad here, and I'm going to pretend that I'm on the road. Now, it's tethered to my mobile, so it's a completely separate network to my local network here. To download the client we need to go to twingate.com/download, and as you can see we have a download option for pretty much every device. Now, of course, I'm on iPad, so I'm going to choose iOS and hit the download button. Okay, so I have the client, but before I connect I want to show you that it will fail if I try to access my NAS drive from here. So I'm going to open up the browser, go to a new tab, and remember that IP address, that local IP. So it's http://192.168.1.187, and the port number for the web admin page is 5000. So I'll press the enter button, and yep, as expected, it looks like it's going to fail. So now what I'm going to do is connect to that client. So we will log in, and it will ask for a couple of prompts, and now I'm connected to the client. So with a bit of luck, if I go back to my browser and hit the refresh button, I now have access to my NAS web admin. Remember, I'm tethered off my phone on the mobile network, which is completely separate to my local network here. An important note here is that I'm actually using the local IP address for my NAS drive, as if I was sat in the local network. I don't need to mess around with port forwarding or DNS names; super simple to set up. So I should even be able to create a network share from here. So if I open up the Files app, press these dots at the top and "Connect to Server", I should be able to type in that local IP address, hit the enter button, use a registered user for my NAS drive (it requires authentication), and yes, now I've connected to the NAS drive via a shared drive. I click onto My Videos and then go to CertBros videos archives, and now I have access to all of the files I need, securely, from anywhere in the world.

Remember, we're applying the principles of zero trust, so let me just show you what happens if I try to get access to my home router. So we already know I have access to the NAS drive, but if I were to go to my home router, which is 192.168.1.254, and press enter, again it fails, because I'm only given access to my NAS drive and those port numbers we specified. Everything else is out of bounds, no access whatsoever. This is the principle of least privilege: only given enough access to do the job.

Now we can go even further, and to do that we need to go back over to Twingate. We can even assess the devices that are allowed to connect. If we go over to Devices and then Security, here we can set the minimum device requirements before they're allowed to connect, things like screen locks must be enabled, antivirus must be installed and encryption is required. This all adds yet further verifications to our connections, meaning just because someone has the right credentials doesn't mean they'll be allowed to connect. So for example, if I want to allow iOS devices to connect to my NAS drive, I probably don't want devices without a screen lock to be able to connect, because anyone could just pick it up off the desk and then access my files. So I can come over to here, click "Screen lock: not required" and change that to required, and confirm the changes. Now any iOS device that doesn't have a screen lock will not be allowed to connect to my NAS drive, again adding further protection to my data. So if you want to get hands-on with some zero trust and secure your network connections, use the link below for your free Twingate account.

Okay, so there we have it. Zero trust is not a single tool or technology; instead it's a concept achieved by implementing security policies and tools that align with the core principles of never trust, always verify. If you liked this video and you got some value from it, don't forget to give it a thumbs up, leave a comment and subscribe. The support from you guys really helps this channel grow. A big thank you to Twingate for sponsoring this video. You can find the link below, and remember, it's completely free. Thank you for watching.
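As an added illustration (not code from the video or from Twingate), the following Python models the per-request policy decision the walkthrough describes: default deny, a resource scoped to the NAS at 192.168.1.187 on TCP 5000 and 445 only, membership of the Everyone group, an MFA check, and the iOS screen-lock device requirement. The class names, the evaluate function and the user names are assumptions of this example.

```python
# Added example, not code from the video or Twingate: a toy ZTNA policy
# decision point. The resource, ports and device rule mirror the walkthrough
# (NAS 192.168.1.187, TCP 5000/445, iOS screen lock required).
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    os_name: str          # "ios", "windows", ...
    screen_lock: bool
    antivirus: bool
    disk_encrypted: bool

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device: DevicePosture
    dest_ip: str
    dest_port: int
    protocol: str         # "tcp", "udp" or "icmp"

# Least privilege: one resource, only the two TCP ports the job needs.
# UDP and ICMP are not listed, so they fall through to the default deny.
RESOURCES = {"my-nas": {"ip": "192.168.1.187", "tcp_ports": {5000, 445},
                        "groups": {"everyone"}}}
GROUP_MEMBERS = {"everyone": {"alice", "peter"}}   # constructed sample users

# Minimum device posture per platform; the video sets screen lock to
# "required" for iOS. Unknown platforms get the stricter default.
DEVICE_RULES = {
    "ios": {"screen_lock": True},
    "default": {"screen_lock": True, "antivirus": True, "disk_encrypted": True},
}

def evaluate(req: Request) -> tuple[bool, str]:
    """Decide a single request. Default deny; nothing is cached between
    calls, so every request is re-verified (never trust, always verify)."""
    if not req.mfa_passed:
        return False, "identity: MFA required"
    rules = DEVICE_RULES.get(req.device.os_name, DEVICE_RULES["default"])
    for attr, required in rules.items():
        if required and not getattr(req.device, attr):
            return False, f"device posture: {attr} required"
    for name, res in RESOURCES.items():
        if res["ip"] != req.dest_ip:
            continue
        if not any(req.user in GROUP_MEMBERS[g] for g in res["groups"]):
            return False, f"{name}: user not in an allowed group"
        if req.protocol != "tcp" or req.dest_port not in res["tcp_ports"]:
            return False, f"{name}: {req.protocol}/{req.dest_port} not allowed"
        return True, f"{name}: allowed"
    return False, "no resource matches destination (default deny)"
```

Requests to the router at 192.168.1.254, to any port other than 5000/445, over UDP, or from an iPad without a screen lock all return a deny with the reason, which is the behaviour shown on the iPad in the video.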
Info
Channel: CertBros
Views: 12,427
Keywords: zero trust, zero trust security, zero trust security model, what is zero trust, zero trust network access, zero trust explained, twingate, vpn
Id: Y3DjoTiOiOU
Length: 21min 46sec (1306 seconds)
Published: Tue Oct 17 2023